bhyve/nvme: Fix Infinite loop in queue processingHEADmain

In the functions pci_nvme_handle_admin_cmd and pci_nvme_handle_io_cmd
infinite loops are possible in the bhyve process if the sq->tail value
is greater than sq->size.

An attacker could overload the host CPU.

Fix is to validate that doorbell values:
 - Are for a valid (i.e., created) queue
 - Are not the same as the previous value
 - Fit within the available capacity

The emulation will generate an Asynchronous Event Notification (Invalid
Doorbell or Invalid Doorbell Value) if enabled and ignore the doorbell
update.

While in the neighborhood, remove a redundant bounds check.

Reported by:	Synacktiv
MFC after:	1 week
Security:	HYP-14
Sponsored by:	Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D46064

0 files changed, 0 insertions, 0 deletions